2358755 – (CVE-2025-32386) CVE-2025-32386 helm.sh/helm/v3: Helm Allows A Specially Crafted Chart Archive To Cause Out Of Memory Termination

Bug 2358755 (CVE-2025-32386) - CVE-2025-32386 helm.sh/helm/v3: Helm Allows A Specially Crafted Chart Archive To Cause Out Of Memory Termination

Summary: CVE-2025-32386 helm.sh/helm/v3: Helm Allows A Specially Crafted Chart Archive...

Keywords:
Status:	NEW
Alias:	CVE-2025-32386
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-04-09 23:01 UTC by OSIDB Bzimport
Modified:	2025-04-10 04:29 UTC (History)
CC List:	31 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-04-09 23:01:15 UTC

Helm is a tool for managing Charts. A chart archive file can be crafted in a manner where it expands to be significantly larger uncompressed than compressed (e.g., >800x difference). When Helm loads this specially crafted chart, memory can be exhausted causing the application to terminate. This issue has been resolved in Helm v3.17.3.

Note You need to log in before you can comment on or make changes to this bug.

abarbaro
adudiak
alcohan
brainfor
cdaley
dfreiber
drow
gparvin
jburrell
jchui
jforrest
jhe
jkoehler
jwendell
kshier
ktsao
ldai
lphiri
lsharar
lucarval
nboldt
njean
omaciel
owatkins
pahickey
psrna
rcernich
rhaigner
stcannon
vkumar
yguenane